Security Policy/Implementation Plan

Isaac Foster

University of Advancing Technology

NTS201 Security Essentials

Introduction

The purpose of this security policy is to inform and advise about the proper courses of

action or nonaction to maintain the security of this company, both physically and digitally. To

make sure there are the least possible security breaches, all employees no matter how high in

authority must follow every aspect of this policy in all regards. Although it may seem tedious, it

is vital to maintain every bit of security integrity possible to preserve this company and facility

for as long as possible, as well as protecting the sensitive and vital information that is stored

within our facilities. If any part of this policy is violated by an individual, immediate disciplinary

action will be enforced, and after repeated infractions of this policy’s statements, the violator

will be terminated and will relinquish all rights to information and design to this company, as

well as any applicable legal action for the given case.

Software Support

To maintain security within the systems, all software must be fully and infallibly secure.

This security will be preserved by restricting the permissions of all users (besides IT and

administration) to not allow the downloading or execution of software from internet sources or

personal devices (external disks, USB drives, etc). Restricting these permissions will keep down

the likelihood of security breaches such as malware, viruses, worms, and other similar threats.

Not all users need administrative privileges, that’s why there is IT. In addition to not allowing

users to install whatever software they want, all software that needs to be installed or is being

requested to be installed will be presented to IT and examined before installation as well as

fully testing the software to confirm the compatibility with the destination system, to test for

possible security flaws in the software, and to make sure the listed functionality of the software

is true to it’s actual function as some software is designed to compromise the security of a

system.

Configuration and Change Management

As discussed above, no changes will be made to a system without the proper

documentation beforehand and temporary permissions granted by IT or the change being

made by IT. These changes could be relating to hardware, software, networking,

documentation, or any other kinds of changes. Unauthorized changes could result in damaging

the security integrity of the system, and could then lead to much bigger problems in future

events. Configuration and changes applied to a networked system must consider what other

systems would be effected by the applied change (what would be the “domino effect” of the

change). After applying a change, small or large, it must be properly documented for later

referral and all systems must be checked and re-tested for security integrity after a large

change has been applied, and any changes in security must be documented as well as fixed

should there be a problem of any sort.

Backups

All files will be backed up bi-weekly to an off-site data storage facility which will adhere

to the entirety of this policy’s outlines. Every off-week when files are not being backed up, the

most recently backed up files will be tested for their usability to maintain the availability of

functional data in the event of a disaster. The most recent backups will be stored on a securely
encrypted cloud server to make them easier to access in the case of data loss, but will be

archived on physical tapes when new data is being stored onto the cloud server. There will be

very limited access to these files, only authorized IT workers and designated Disaster Recovery

personnel will be able to access any stored or archived data.

Media Controls

Covered in media controls is the physical and digital protection of media and devices, as

well as providing security to mitigate the loss of confidentiality or accountability. The types of

media controls are discussed below.

Marking

One form of controlling media is physically labeling whatever the media is,

tagging it with vital information about the media device in the form of a barcode and possible

special handling instructions. Coloring the labels significantly aids in the organization of physical

drives and various media like the archived back up files. Properly trained individuals are

required for handling such media so it is correctly placed and handled carefully so that any vital

information is preserved.

Logging

In conjunction with Marking, Logging supports accountability with physical

devices. Using the barcodes for each device, anything can be checked out and logged under a

user’s name or identification number so that it is always recorded who has what device and

how long they’ve had it, as well as what their purpose is for checking out the device or other
hardware. Random checks will occur to make sure all checked out items are in the possession of

those who checked them out or are accounted for in the facility’s inventory, verifying that no

items have been misplaced or singed out to the wrong individuals.

Integrity Verification

To maintain security integrity, all information that is read into a system

will be scanned and verified through error detection/correction or cryptographic software to

determine if the information is being read correctly and if the information has been subjected

to any modifications (deliberate or incidental). In addition to this, backup integrity shall be

tested periodically to maintain the availability of functioning up-to-date data if it should be

needed to restore operations to a state of normalcy.

Physical Access Protection

In an effort to prevent data or media loss, physical security shall be a top-

notch priority. All information and media stored on-site will be secured at all times within a

multi-layered security building. Any and all media/information will be stored within multiple

layers of badge-readers and biometric scanners, as well as levels of clearance allowed to

varying levels of personnel, in addition to physical security personnel and trained

security/bomb threat K-9 units stationed together at access points and patrolling the grounds

at all times. Off-site data and media will possess the same level of security, physical guards,

cameras covering every angle of the interior and exterior, three-step verification for personnel

attempting to enter (guard checking ID and clearance level, electronic badge-reader, and

biometric locks), etc. Finally, all physical media that is being transported between facilities shall
be accompanied by 2 unmarked guard vehicles as well as having guards riding with the sensitive

media.

Environmental Protection

As often as possible, data is stored digitally to remove the risk of physical

damage to a device or other form of media, However, some devices are still needed or helpful

such as CDs, DVDs, and other such optical media are very vulnerable to temperature, liquid, or

dust damage, all of which can corrupt any and all data that is stored on that media. Special

handling and storage procedures will be followed to maintain the physical security of these

types of media.

Disposition

When media has to be disposed of, it is important to make sure that it is done so

properly so that information is not unintentionally put into unauthorized control. The only sure

way of doing so is destruction. Therefore, any and all media that is being purposefully erased

after being cleared by all higher levels of management and control, must be sanitized and

shredded (when applicable), then sent off to be disposed of through means of incineration.

Documentation

As one of the most widely-disliked parts of an individual’s job, documentation is one of

the most important aspects of maintaining security. Proper documentation prevents security

oversights and keeps track of anything and everything going on within the facility, providing

constant quality assurance for current and beginning employees so they know what they can be
doing to improve their work. Documenting everything makes it nearly impossible to lose data

without a way of finding how it was lost, as well as constantly enforcing consistency in all

aspects of one’s work. Other documentation includes security/contingency plans, risk analyses,

and security policies such as this. Every piece of documentation is another bit of work that no

one wants to do, but without it there would be no chance of having reliable ways to review

what may or may not have caused any given issue.

Maintenance

In all cases, systems must be maintained. Physically systems must be periodically

cleaned out and checked for updates, as well as replacing or upgrading any parts that have

passed their time of usefulness. These physical maintenance jobs fall to the IT department or to

a 3rd party contract where they will do periodic physical check-ups on each individual system to

make sure their performance level is not being negatively effected by any physical issues.

Another kind of issues that may arise are logical issues, which now only falls to IT. Logical issues

may include bugs, malware, adware, or any other kind of virus. An unauthorized individual

attempting to perform maintenance on a system is a large security risk as they may

unintentionally mess something up and leave it that way which leaves a door wide open into

our network. Many systems come with pre-installed maintenance accounts that are meant to

be used for those purposes only, and they will stay that way by maintenance personnel

changing their passwords (must be complex, i.e. capital and lowercase, number(s) and special

character) so that unauthorized users cannot access these accounts. If this account is going to
be used remotely, then authentication data will have to be verified through multiple channels

before this remote access is allowed, preserving security.

Summary

While these policy’s may seem like a hassle to deal with, they are all put in place for the

safety and security of the employees as well as the safety and security of the information

stored in our facility. If all of these policy’s are adequately followed, there will be a large

amount of security breaches avoided simply by doing everything by the book, not taking any

risks, and not cutting any corners.

Sources

Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices (2nd
ed.). Retrieved March 18, 2016, from
https://bookshelf.vitalsource.com/#/books/9781323249338/cfi/20!/4/2/4/2/2@0:0
Chapter 9